The Culture of Code

You may find the following tips useful when setting up continuous integration infrastructure.
Security: Put your CI infrastructure behind a VPN or a reverse proxy provider such as cloudflare.com. Never expose the real IP addresses of your CI hosts publicly; a reachable build server is a direct target for attackers.
Jenkins: Use a master node and build agents. The master node acts only as the web console; compiling and testing happen on the agents.
Notifications: If you use Google Apps for your domain, you may use Google's restricted SMTP server to send notifications.…

Making your web application resistant to security attacks is a challenge for every Java developer.
In this article I will briefly describe common, practical development techniques that help you achieve it.

OWASP Top 10 (2013 edition), the list of the 10 most critical web application security risks, includes the following risks:

A1 - Injection

A2 - Broken Authentication & Session Management

A3 - Cross-Site Scripting (XSS)

A4 - Insecure Direct Object References

A5 - Security Misconfiguration

A6 - Sensitive Data Exposure

A7 - Missing Function Level Access Control

A8 - Cross-Site Request Forgery (CSRF)

A9 - Using Components with Known Vulnerabilities

A10 - Unvalidated Redirects and Forwards

In this article I will highlight the most important Java coding techniques for building secure web applications.
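As an added example (not code from the original post), here is the A1 Injection item from the list above in JDBC terms: a lookup that splices user input into the SQL text, the same lookup with a bound parameter, and the case bound parameters cannot cover, an identifier such as an ORDER BY column, which has to be checked against an allow-list. The table and column names are assumed for illustration; the code needs Java 9 or later for Set.of.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/** Added example: OWASP A1 Injection, vulnerable and hardened JDBC lookups. */
public class UserRepository {

    private final Connection connection;

    public UserRepository(Connection connection) {
        this.connection = connection;
    }

    // VULNERABLE: the user-controlled value becomes part of the SQL text.
    // A username of  ' OR '1'='1  turns the statement into
    //   SELECT email FROM users WHERE username = '' OR '1'='1'
    // and returns every row in the table.
    public List<String> findEmailsByUsernameUnsafe(String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = '" + username + "'";
        try (Statement stmt = connection.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            return collect(rs);
        }
    }

    // HARDENED: the value is sent to the driver separately from the SQL text,
    // so it is never parsed as SQL, whatever characters it contains.
    public List<String> findEmailsByUsername(String username) throws SQLException {
        try (PreparedStatement stmt = connection.prepareStatement(
                "SELECT email FROM users WHERE username = ?")) {
            stmt.setString(1, username);
            try (ResultSet rs = stmt.executeQuery()) {
                return collect(rs);
            }
        }
    }

    // Identifiers (column names, sort direction) cannot be bound as parameters.
    // The only safe option is an allow-list of values the application controls.
    private static final Set<String> SORTABLE_COLUMNS = Set.of("id", "email", "created_at");

    public List<String> listEmailsSorted(String sortColumn, boolean ascending) throws SQLException {
        if (!SORTABLE_COLUMNS.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column: " + sortColumn);
        }
        String sql = "SELECT email FROM users ORDER BY " + sortColumn
                + (ascending ? " ASC" : " DESC");
        try (PreparedStatement stmt = connection.prepareStatement(sql);
             ResultSet rs = stmt.executeQuery()) {
            return collect(rs);
        }
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> emails = new ArrayList<>();
        while (rs.next()) {
            emails.add(rs.getString("email"));
        }
        return emails;
    }
}
```

The same rule carries over to JPA and Hibernate: build queries with named or positional parameters, never with string concatenation, and treat anything that ends up in a query as an identifier (table, column, sort direction) as something to validate against a fixed list rather than escape.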

Deploying an application into a secure environment places some restrictions on logging and log management. The OWASP community gives some useful recommendations.
OWASP Security Testing Guide Recommendations
The OWASP Security Testing Guide defines a number of questions to answer when reviewing an application's logging configuration (see OTG-CONFIG-002):
1. Do the logs contain sensitive information? Log files should not contain any sensitive data. In any case, access to log files must be restricted:
Event log information should never be visible to end users.…
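The first question above is easiest to answer "no" if sensitive values are masked before they reach the logging framework at all. The following redaction helper is an added example, not the post's own code or an OWASP artifact: it masks card-number-shaped digit runs (confirmed with a Luhn check to cut false positives) down to the last four digits and blanks the values of credential-like key=value pairs. The key names, the log line and the use of java.util.logging are my assumptions for illustration; the helper needs Java 11 or later.

```java
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: strip sensitive data from a message before it is logged. */
public final class LogRedactor {

    // 13-19 digits, optionally separated by single spaces or dashes: typical card number shapes.
    private static final Pattern PAN = Pattern.compile("\\b(?:\\d[ -]?){12,18}\\d\\b");

    // Credential-like key=value or key: value pairs (assumed key names), case-insensitive.
    private static final Pattern SECRET_PAIR = Pattern.compile(
            "(?i)\\b(password|passwd|pwd|secret|token|api[_-]?key)\\s*[=:]\\s*\\S+");

    private LogRedactor() {}

    /** Masks card numbers to their last four digits and replaces credential values. */
    public static String redact(String message) {
        if (message == null) {
            return null;
        }
        String masked = maskPans(message);
        return SECRET_PAIR.matcher(masked).replaceAll("$1=[REDACTED]");
    }

    private static String maskPans(String s) {
        Matcher m = PAN.matcher(s);
        StringBuilder sb = new StringBuilder();
        while (m.find()) {
            String digits = m.group().replaceAll("[^0-9]", "");
            // Only digit runs that pass Luhn are treated as card numbers; other
            // long numbers (order ids, timestamps) are left untouched.
            String replacement = passesLuhn(digits)
                    ? "*".repeat(digits.length() - 4) + digits.substring(digits.length() - 4)
                    : m.group();
            m.appendReplacement(sb, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    /** Standard Luhn checksum over a string of decimal digits. */
    static boolean passesLuhn(String digits) {
        int sum = 0;
        boolean doubleIt = false;
        for (int i = digits.length() - 1; i >= 0; i--) {
            int d = digits.charAt(i) - '0';
            if (doubleIt) {
                d *= 2;
                if (d > 9) {
                    d -= 9;
                }
            }
            sum += d;
            doubleIt = !doubleIt;
        }
        return sum % 10 == 0;
    }

    public static void main(String[] args) {
        Logger log = Logger.getLogger("payments");
        // Constructed sample message, not a real record.
        String raw = "charge ok card=4111 1111 1111 1111 order=20140312001 user=bob password=hunter2";
        log.info(redact(raw));
    }
}
```

In a real deployment the redaction belongs in a central place (a logging filter or a wrapper around the logger) rather than at every call site, so that a developer who forgets to mask a value does not leak it; the helper above is the piece that filter would call.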

One of the first recipes I came across was Thomas Termin's. He suggests adding a ChannelHandler which schedules a call to the client's connect() method once a Channel becomes inactive, plus a ChannelFutureListener which re-creates the Bootstrap and re-connects if the initial connection failed.

Although this is a working solution, I had a feeling that something was not optimal: a new Bootstrap is being created on every connection attempt.

So I created a FutureListener which should be registered once a Channel is closed.
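To make the approach concrete, here is an added example of my own (not the post's code and not Thomas Termin's): one Bootstrap is built once, and a single ChannelFutureListener handles both a failed connect attempt and the later close of an established channel by scheduling the next attempt on the event loop group. The host, port, retry delay and the placeholder LoggingHandler are assumptions; Netty 4.1 is assumed for Bootstrap.config().

```java
import io.netty.bootstrap.Bootstrap;
import io.netty.channel.ChannelFuture;
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.EventLoopGroup;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioSocketChannel;
import io.netty.handler.logging.LoggingHandler;

import java.util.concurrent.TimeUnit;

/** Added example: a Netty client that reconnects by reusing one Bootstrap. */
public class ReconnectingClient {

    private final Bootstrap bootstrap;   // created once, reused for every attempt
    private final String host;
    private final int port;
    private final long retryDelayMillis;
    private volatile boolean stopped;

    public ReconnectingClient(EventLoopGroup group, String host, int port, long retryDelayMillis) {
        this.host = host;
        this.port = port;
        this.retryDelayMillis = retryDelayMillis;
        this.bootstrap = new Bootstrap()
                .group(group)
                .channel(NioSocketChannel.class)
                .handler(new ChannelInitializer<SocketChannel>() {
                    @Override
                    protected void initChannel(SocketChannel ch) {
                        ch.pipeline().addLast(new LoggingHandler()); // placeholder for real handlers
                    }
                });
    }

    /** Starts one connection attempt; every later attempt is driven by the listener. */
    public void connect() {
        bootstrap.connect(host, port).addListener(connectListener);
    }

    /** Stops further reconnect attempts (the current channel is left to the caller). */
    public void stop() {
        stopped = true;
    }

    // Registered on every connect future. On success it registers itself on the
    // channel's close future, so a later disconnect triggers the same scheduling
    // path as a failed attempt, without building a new Bootstrap.
    private final ChannelFutureListener connectListener = new ChannelFutureListener() {
        @Override
        public void operationComplete(ChannelFuture future) {
            if (stopped) {
                return;
            }
            if (future.isSuccess()) {
                future.channel().closeFuture().addListener(f -> scheduleReconnect());
            } else {
                scheduleReconnect();
            }
        }
    };

    private void scheduleReconnect() {
        if (stopped) {
            return;
        }
        // Schedule on the group rather than the channel, so this works even when
        // the failed attempt never got a registered channel.
        bootstrap.config().group().schedule(this::connect, retryDelayMillis, TimeUnit.MILLISECONDS);
    }

    public static void main(String[] args) throws InterruptedException {
        EventLoopGroup group = new NioEventLoopGroup();
        try {
            ReconnectingClient client = new ReconnectingClient(group, "127.0.0.1", 9000, 2000);
            client.connect();
            Thread.sleep(10_000); // let it attempt a few reconnects against the assumed port
            client.stop();
        } finally {
            group.shutdownGracefully();
        }
    }
}
```

The fixed delay keeps the example short; in production the delay should grow (exponential backoff with a cap and some jitter) so that a server outage does not turn every client into a tight reconnect loop.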

I’ve been meaning to write a small tutorial on building web applications. Now it’s time!
Let’s define the steps and choose some solutions for developing a back-end Java web application.

I will give my design recommendations and list the technologies I would use. You may have your own opinion, and you may share it in the comments. Over time this post may change, since my favourites also change over time.

There are situations when you need to analyze users' behaviour but can't use a third-party web analytics solution like Google Analytics or Yandex Metrika, for example if your production environment is PCI DSS compliant. In this case you have to deploy a self-hosted analytics engine inside your environment and configure user action tracking in your application.
One possible solution is Piwik as the analytics engine plus Angulartics or angular-piwik for tracking events inside an AngularJS application.…